New U.S. Cybersecurity Strategy Revealed

After meetings at NATO and the Supreme Headquarters Allied Powers Europe on cybersecurity, U.S. Deputy Defense Secretary William J. Lynn III detailed the Defense Department’s new cybersecurity strategy at a Brussels gathering sponsored by the Security and Defense Agenda this week.

Reprising comments he made in a recent article published in Foreign Affairs magazine, Lynn identified five “pillars” to the strategy.

The first is simply recognizing that cyberspace is a new domain of warfare, on a par with air, sea, land and space. “We need training, we need doctrine, we need all the elements we apply to any other domain,” he said. “That’s the fundamental reason that the U.S. stood up the United States Cyber Command.”

The strategy’s second pillar involves taking a stance that passive defenses are not adequate. The two main passive defenses – simple computer hygiene and firewalls – will catch about 70 to 80 percent of the attacks, Lynn said. To get the rest, “We need active defenses, using sensors that are able to act at network speed to detect and then block the attacks on our networks.” Also required, according to Lynn, is “the ability to hunt and attack on your own networks to get the intruders who do get past the initial defenses.”

The third pillar of the new strategy is ensuring the safety of critical civilian infrastructures. “It won’t do any good to protect military networks if your power goes down,” said Lynn.

Collective defense is the strategy’s fourth pillar. Lynn likened this pillar to the Cold War strategy of shared early warning. “Just as our missile defenses have been linked, so too, our cyber defenses have to be linked as well.”

The fifth pillar is keeping the technological advantage the U.S. now enjoys. “We have a lead in information technology, and it is critical to both our security and our economies to maintain that,” said Lynn. This assertion, however, is called into question by the recently released 2011 Global State of Information Security Study by CIO, CSO and PricewaterhouseCoopers, which paints a gloomier picture, at least in respect to security. According to that report, Asian companies are more likely to acknowledge that the increased risk environment has advanced the role and importance of the security function, and they are more focused on data protection than those in other regions, at least in the private sector. Additionally, the report states, Asian companies are more proactive at addressing emerging practices such as implementing security technologies supporting Web 2.0 exchanges.